Online Express is PCI compliant, but the webpage where the Online Express form is embedded may not be PCI-compliant. Because of this, we highly encourage Online Express customers to take appropriate security measures on the webpages where their Online Express forms will be embedded.
How can I confirm my webpage is PCI compliant?
For further information regarding how your organization can ensure your website is PCI compliant, please refer to the PCI Security Standards Council.
Why is there a "Security Warning" on my donation form dashboard in the Online Express plugin?
This means that your organization has one or more Online Express forms embedded on a webpage where SSL is not enabled.
Am I required to enable SSL?
Enabling SSL is not strictly required for the form to work, but we strongly suggest it. It adds a layer of protection to the page itself and lets visitors see that the webpage they are accessing is served securely.
How will embedding my forms in a non-SSL enabled webpage impact my donors?
If your Online Express form is embedded on a webpage where SSL is not enabled, visitors who navigate to that webpage will see a "Not secure" (or similar "Insecure") warning in their web browser. Donors will still be able to make donations through the form, and the form's own connection to Blackbaud is encrypted, but the browser warning may deter potential donors from submitting a donation.
Which vendor should I use when purchasing my SSL certificate? How do I enable SSL on my webpage(s)?
Choosing an SSL certificate vendor and enabling SSL on your web server are beyond Blackbaud’s scope of support. We recommend contacting your web hosting provider or a qualified web server administrator (for example, an IIS professional if your site runs on IIS).
Are there any other security measures I should take with my Online Express forms?
For further information regarding what to consider before embedding your Online Express form into your website, please visit our Blackbaud Online Express Tips for protecting your donor page, which further discusses the following topics:
- Enable Secure Sockets Layer (SSL)
- Comply with the Payment Card Industry Data Security Standard (PCI DSS)
- Limit page content
- Do not render editable data
The connection between the donor’s browser and the Blackbaud server is encrypted via SSL even if the page where your organization embeds the Online Express script is not protected by a valid SSL certificate, so the card data itself travels over a secured connection. Donors have no way of knowing that, however, and if they see a prominent “Not secure” warning in their browser, it may deter them from submitting a donation. A page served over plain HTTP can also be altered in transit, including the script tag that loads the form, so the surrounding page, not just the form, has to be considered when assessing security. This is one of the main reasons why we highly encourage all Online Express customers to have an SSL certificate enabled on any page where they embed an Online Express form. It is also why we say: “While Online Express IS PCI compliant, the webpage where you’re embedding your Online Express form may not be compliant.”
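As an added example (not Blackbaud code and not part of the original article), the following script performs the two checks the "Security Warning" and the "Limit page content" tip point at: is the embedding page itself served over HTTPS, and does the page load any script, iframe, or form submission over plain http (mixed content, which an on-path attacker could alter). The sample HTML and all hostnames in it are constructed for illustration; the real embed tag is whatever the Online Express plugin generates for your form.

```python
"""Offline audit of a donor page's HTML for the problems described above.

Added example, not Blackbaud code. Two checks:
  1. the page URL uses https (otherwise browsers show "Not secure")
  2. no <script>, <iframe> or <form> on the page fetches or submits over
     plain http (mixed content that could be tampered with in transit)
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute causes the browser to fetch active content
# or send data; passive content such as <img> is deliberately left out.
_URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for the tags in _URL_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def audit_donor_page(page_url, html):
    """Return a list of findings (strings); an empty list means no issue found."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append(f"page {page_url} is not served over HTTPS")

    collector = _RefCollector()
    collector.feed(html)
    for tag, ref in collector.refs:
        # urljoin resolves relative and protocol-relative (//host/...) URLs
        # against the page URL, so they inherit the page's scheme.
        if urlparse(urljoin(page_url, ref)).scheme == "http":
            findings.append(f"<{tag}> loads or submits over plain http: {ref}")
    return findings


# Constructed sample page; hostnames are hypothetical.
SAMPLE_HTML = """
<html><body>
<h1>Donate</h1>
<!-- hypothetical embed tag standing in for the plugin's generated script -->
<script src="https://embed.example.org/oe-form.js"></script>
<script src="http://cdn.example.org/analytics.js"></script>
<form action="http://www.example.org/newsletter" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example.org/donate", "https://www.example.org/donate"):
        print(url)
        for finding in audit_donor_page(url, SAMPLE_HTML) or ["no findings"]:
            print("  -", finding)
```

Run it against the saved HTML of each page that embeds a form. The first check fires for the http:// page URL; the second fires for the analytics script and the newsletter form regardless of the page scheme, which is exactly the kind of extra content the "Limit page content" tip suggests removing from a donation page.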